AI-Enabled Phishing at Scale and Defensive Implications
Threat actors are increasingly using AI to industrialize phishing, generating high volumes of near-unique emails and rapidly iterating lures, links, and attachments in ways that degrade the effectiveness of signature-based and gateway-centric controls. Cofense-reported telemetry cited in industry coverage indicates enterprises saw one malicious email on average every 19 seconds during 2025, with campaigns often reusing underlying infrastructure even as message content continuously mutates. Phishing sites are also becoming more adaptive, tailoring content and payload delivery based on the victim’s device and environment (e.g., different outcomes for Windows, macOS, and mobile), while collecting detailed browser and system attributes to support customization and evasion.
This shift is driving executive concern and shaping security investment priorities for 2026, with broader industry reporting highlighting AI-enabled attacks, fraud, and phishing as top risks and positioning AI-enabled security as a key countermeasure to keep pace with adversaries’ automation. Separately, an opinion-focused piece argues that AI changes the “build vs. buy” calculus for security teams by enabling more internal tool development and altering what types of security products deliver value; however, it does not provide incident-specific or phishing-specific intelligence. Overall, the most actionable signal across the sources is the operational reality of AI-driven phishing volume, adaptive delivery, and evasion—reinforcing the need to prioritize resilient detection and response capabilities over static indicators alone.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Help Net Security reports AI-driven phishing trend
Help Net Security published reporting that AI was reshaping phishing economics and effectiveness, citing Cofense analysis of large-scale, adaptive campaigns. The report consolidated observed 2025 developments in phishing tradecraft and infrastructure reuse.
Conversational BEC-style phishing and remote tool abuse increase
By 2025, attackers were increasingly using linkless, attachment-free conversational phishing and abusing legitimate remote access tools hosted on trusted services and signed with valid certificates. These tactics reduced obvious indicators and improved attacker credibility.
Phishing pages become adaptive to victim environment
By 2025, phishing pages were increasingly tailoring content and payloads to a target's device, browser, and locale while collecting telemetry for evasion and customization. This marked a technical evolution in phishing delivery and effectiveness.
AI-driven phishing campaigns scale polymorphic attacks
By 2025, attackers were using AI to generate, test, and scale phishing campaigns with constantly changing wording, structure, and delivery paths. Cofense said this made polymorphism the default mode, weakening blocklists and signature-based detection because many URLs and file hashes were single-use.
Enterprises see malicious emails at high frequency in 2025
During 2025, Cofense reported that enterprises detected one malicious email on average every 19 seconds, underscoring email's continued role as a primary initial access vector. The finding reflects the scale of phishing activity across the year.
Cofense observes sharp rise in .es domains for credential phishing
In early 2025, credential-phishing activity increasingly used .es domains, indicating a shift in attacker infrastructure and domain preferences. The change was highlighted as part of broader phishing adaptation trends.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Industry Commentary on Phishing and AI-Enabled Cyberattacks
Security commentary published in early 2026 highlights that **phishing remains highly effective** despite improved defensive tooling, largely because attackers exploit predictable human psychological triggers. One analysis frames phishing success as a three-stage process—*bait, hook, catch*—where adversaries research targets, deliver tailored lures, and then convert engagement (e.g., link clicks or credential entry) into compromise; it also cites CISA-reported prevalence of phishing in successful intrusions and notes that while overall phishing volume may fluctuate, financial impact can still rise. Separate reporting and analyst content focuses on **AI’s growing role in the attack chain** but stops short of confirming fully autonomous end-to-end attacks in the wild. An international AI safety report and related coverage describe AI systems assisting with tasks such as vulnerability scanning and malware development, and reference prior claims of **semi-autonomous** operations (with humans making key decisions), including reported abuse of an AI coding tool to support intrusions against dozens of high-profile organizations with limited success. A technology roundup aimed at CISOs ties these trends to increased 2026 security spending and prioritization of AI-enabled defenses, but it is primarily forward-looking guidance rather than incident-driven intelligence.
Mar 21, 2026
AI-Driven Evolution of Phishing and Enterprise Security Challenges
Phishing attacks have become increasingly sophisticated, leveraging artificial intelligence (AI) to create more convincing lures and evade traditional detection methods. Recent threat intelligence reports highlight that attackers are now combining high-volume, automated phishing campaigns with stealthier, targeted intrusions, making it more difficult for security teams to distinguish between legitimate and malicious activity. Generative AI models are being used by threat actors to craft realistic phishing emails and malware, significantly lowering the barrier to entry for less skilled cybercriminals. The proliferation of AI tools within organizations, including unsanctioned 'shadow AI' applications, has expanded the attack surface and introduced new risks related to non-human identities such as service accounts and autonomous agents. Security experts emphasize that while AI can enhance defensive capabilities—such as anomaly detection and automated response—human expertise remains essential for interpreting alerts and guiding strategic action. The persistent threat of phishing is underscored by data showing that a significant majority of breaches involve social engineering, with phishing accounting for a large proportion of these incidents. Attackers employ a variety of techniques, including deception, impersonation, malicious links, and deepfakes, to trick victims into divulging sensitive information or performing actions that compromise organizational security. Despite advances in security technology, end users continue to be a primary entry point for attackers, as a single click on a malicious link can bypass multiple layers of defense. The challenge for defenders is compounded by human fatigue and resource constraints, which can limit the effectiveness of even the most advanced security tools. Experts recommend a multi-layered approach to defense, combining AI-driven automation with robust employee training and awareness programs. The adoption of phishing-resistant multi-factor authentication (MFA), zero-trust architectures, and behavioral monitoring are cited as effective strategies to counter evolving phishing threats. As organizations increasingly rely on SaaS applications and AI agents, identity and access management (IAM) has become the new front line in enterprise security. Open standards and centralized control over AI-driven interactions are critical for managing the explosion of both human and non-human identities. Security leaders are urged to maintain discipline in provisioning, permissions, and network segmentation, as AI can magnify the impact of any oversight. The ongoing evolution of phishing tactics, fueled by AI, demands continuous adaptation and vigilance from both technology and personnel to maintain enterprise resilience.
Mar 21, 2026
AI-Driven Phishing and Social Engineering Threats in 2025-2026
Security researchers and industry experts are warning of a dramatic escalation in phishing and social engineering attacks, driven by the adoption of AI by both attackers and defenders. Reports highlight that threat actors are leveraging AI to craft highly targeted, convincing phishing emails, automate attack campaigns, and reduce the time from initial compromise to full breach to under an hour. Human Resources-themed phishing, especially termination and compensation adjustment lures, have surged in Q3 and Q4, exploiting employee trust and urgency. Security teams are urged to maintain a human-in-the-loop approach, as over-reliance on AI for detection can create blind spots, and context-driven analysis is now essential to counter increasingly sophisticated tactics. Technical research and incident analysis reveal that attackers are using a variety of new techniques, including voicemail lures, open redirects, and legitimate hosting platforms to bypass traditional email security controls. The rise of mobile device attacks, supply chain threats via malicious apps, and the use of AI prompt injection in CI/CD pipelines further expand the attack surface. Experts recommend organizations strengthen mobile security, enrich detection with threat intelligence, and ensure skilled analysts remain involved in incident response to keep pace with the evolving threat landscape.
Mar 21, 2026